The General Data Protection Regulation (GDPR) became applicable on 25th May 2018 and threw more than a few companies into a state of panic and confusion, largely because of the breadth and reach of the legislation, not to mention the severity of its sanctions. While data protection has been at the forefront of EU policy for more than two decades, GDPR is a regulation rather than a directive, so for the first time the same rules apply directly in every member state without national transposition, leaving far less room for variation between jurisdictions.
The manual intervention required to become compliant with GDPR legislation drew the attention of Aqubix, which set about designing a product that would streamline the work people would have to carry out on their data in order to make it GDPR-ready. “After the success of our previous product – KYC Portal – we started thinking about the manual intervention required for GDPR," says Aqubix CEO Kristoff Zammit Ciantar. "The larger the company is, the greater the hassle to ensure you have people to process requests, make sure everything is in place, and so on, so that’s where the idea for GDPR Auto stemmed from. We presented a beta concept of the programme, which we showed to a large number of companies, and people soon realised that with the focus currently being on ticking the right boxes before 25th May, nobody is really thinking beyond that. How will I manage the data? How do I start auditing everything? How will I make sure everything is being handled within 30 days of the request?”
Mr Zammit Ciantar explains that GDPR Auto is the industry's first and only tool on the market that will bring any organisation of any size a step closer to becoming fully GDPR-ready and compliant. “It's not only a technical solution but a business solution that delivers the required automation, as well as the embedded legal advice that dictates this regulation. It provides a starting point in the form of a set of audits, so that companies can self-assess and identify where they stand,” he says. The responses to the legal audit produce a full gap analysis report highlighting every aspect the company needs to start working on in order to achieve GDPR compliance, together with a detailed list of actions derived from the company's answers to the audit.
At this stage, if the audit determines that internal policies covering the data types being handled are required, the system makes the relevant legal documentation available as text templates, allowing the company to bring its processes in line with the regulation. “Of course, this does not replace the need for human legal counsel – in fact, Aqubix works with law firm AMJ Legal, which allows it to provide both technical and legal hours to clients as part of the GDPR Auto package, giving clients peace of mind,” Mr Zammit Ciantar adds. Another GDPR requirement that an organisation may find particularly difficult to meet manually is the mapping of its data processing activities, which the regulation requires to be documented in records of processing (Article 30). Here again GDPR Auto reduces what would otherwise be a taxing and long-winded exercise to a single function.
While bringing newly collected data into line with the legislation is challenging enough, making sure that historical data, collected long before GDPR compliance was a concern, is also compliant has been a stumbling block for many firms. “When some companies realised that some of the data they held was not fully GDPR-compliant, they considered purging their collection of data entirely, some of which spanned several decades. This would have been a huge and valuable loss,” Mr Zammit Ciantar points out. GDPR Auto has a solution for this too: once subject data is mapped out, the programme allows for individual and bulk opt-in consent acquisition, with every consent recorded in an audit trail, as well as regular or scheduled re-consent processes across all aspects of the data being held. “This feature allows the user to instantly identify what data is authorised for specific use, and immediately excludes use that is not permitted under GDPR. At the same time, it manages the requirement for individual assent that the customer may not have even thought about or agreed to at the time, ensuring that the company is in full compliance with the legal provision.” Individuals whose data has been collected are given a means to review and update their data and to ensure that whatever information is kept about them is correct (the right of access and the right to rectification): a secure portal, protected by two-factor authentication, through which data can be managed and requests for updates sent. Once reviewed by the data protection officer, such change requests are communicated internally over the platform for execution, keeping a full audit trail of accountability covering both system owners and third-party processors.
GDPR Auto has garnered interest from a wide range of businesses within the EU, as well as from non-European companies that do business with Europe, including firms from the US and Turkey. Its adaptability to companies of different kinds and sizes has also made it a versatile tool for businesses to have in their arsenal. “Even though it will still prove to be quite a challenge, small companies handling a few subjects can likely get away with bringing their processes up to scratch manually. Such an approach might work in the short term; however, it is not a sustainable model knowing that GDPR is here to stay. For larger companies, or companies with an ambition to grow, GDPR Auto will save a lot of time and effort, not just now, but in the coming years too.”
When it comes to how GDPR will affect the business landscape in Malta, Mr Zammit Ciantar believes that the advantages GDPR introduces will mostly benefit the individual rather than businesses per se. “Companies will be penalised for acquiring data in ways that are not authorised, and the legislation will safeguard against data breaches, ensuring that everyone is fulfilling their remit. This is a significant problem in Malta – companies found to be misusing private information would previously get away with nothing more than a slap on the wrist. GDPR will change all that.” However, he maintains a realistic view of how long it will take before results become visible. “The first year following the ratification of GDPR will most likely be a period of adjustment to the new legislation. But as we’ve seen with previous measures and directives from the EU, it is only when fines start being levied that we will start seeing serious action being taken by businesses.”
The full version of this case study originally appeared in The Commercial Courier